[exim] Re: Uid used to access TLS-certificates

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MPhilip Hazel at <-
MPhilip Hazel at ->
Delete this message
Reply to this message
Author: Timo Neuvonen
Date:  
To: exim-users
Subject: [exim] Re: Uid used to access TLS-certificates
> Actually, Exim (strictly) doesn't read the certificate at all; it just
> passes the name of the file to the OpenSSH or GnuTLS library. It does
> this when it initializes the library. The library then chooses when to
> read the file. The library is initialized when the client issues
> STARTTLS. I suppose it could be initialized earlier, on spec, but that
> doesn't sound all that helpful.
>
I really shouldn't even think about tring to guide you how to write
software, but...

A workaround might be making a temporary working copies of the files at the
time of startup, when root privilegies are available, and granting 'exim'
user the access rights to the files thereafter. So these temporary files
could then be passed to the library. But I just don't know if it increased
security by any means, since there would be temporary copies of key and
certificate files hanging around the filesystem. If they could be just
pointers to some memory area allocated to exim, then things maybe were
different -then there would be no real file.

--
TiN




This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] control = freeze working irrespective of ACL conditionsRe: [exim] OT - setting vacations->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)